
new book, Snort Cookbook, co-author Angela Orebaugh serves up recipes for foiling intruders. In this interview, she shares some tasty tips for using Snort and other free intrusion detection tools. Snort Cookbook, published by O'Reilly, was written by Orebaugh, Simon Biles and Jacob Babbin.

What capabilities does Snort have that might surprise or be underused by IT managers?

Angela Orebaugh: Snort has some powerful functionality built into the pre-processors. These include the ability to maintain state, fragmented packet reassembly, stream reassembly, HTTP normalization, application decoders, portscan detectors and performance monitoring.

Several of the pre-processors have anti-evasion techniques built in. Since enabling the pre-processors creates an additional load on the system, it is best to dedicate specific stand-alone Snort sensors for some of these features.

What is the most common mistake admins make in handling intrusion detection systems (IDS)?

Orebaugh: The biggest problem with any IDS is the fact that many organizations deploy it and forget about it. An IDS needs a lot of care and feeding on a daily basis.

IDS alerts do you no good if you are not actively looking at them. It is optimal to have an individual (or more staff, depending on the size of the organization) dedicated to intrusion detection as his/her sole responsibility. This person will actively review the logs on a daily basis, update rules as needed and perform more in-depth analysis looking for long-term trending, low-and-slow attacks and even ways to improve network performance.

What do IT shops use instead of Snort, and why might Snort be a better option?

Orebaugh: From my experience, I have seen either a lot of the high-end commercial appliance products deployed or Snort.

Organizations with budget issues will choose Snort because it is free, and it has a lot of features and add-on tools to make it very usable. However, if you are looking to monitor high-bandwidth networks, Snort is not the best choice; that is where the appliance option would work better. Snort is not very optimized for that type of environment.

I have also seen a number of organizations deploy Snort in addition to the commercial product, just as a [system of] checks and balances and for additional monitoring.

What tools, particularly open source tools, work well in conjunction with Snort?

Orebaugh: My first and foremost recommendation is Barnyard.

Barnyard takes the output processing load off of Snort to let Snort do what it does best, capture and process packets. ACID/BASE is another great tool that allows you to view, analyze and graph Snort logs. A few others that I recommend are Snortsnarf, SWATCH, SnortCenter, IDS (intrusion detection system) Policy Manager and Snort Alert Monitor.

What's tricky about installing Snort in heterogeneous environments?

Orebaugh: As with installing any IDS, you must know your network very thoroughly. You need to know the devices, the architecture, the protocols and the traffic. This helps you not only deploy your sensors optimally, but also to tune your rules adequately.

You mentioned ACID/BASE and SnortCenter as complementary tools for Snort users. Could you tell us more about them?

Orebaugh: ACID/BASE is a PHP-based web GUI for log analysis. Its features include a search engine, packet viewer, alert management and graphing and statistics generation. Its Web front end is easy to use and makes the administrator's job of managing alerts and logs a lot easier.

SnortCenter manages remote sensors in a Web-based client-server method. It is written in PHP and Perl. Both the management console and sensor agents can be installed on Unix and Windows.

The SnortCenter management console allows you to build configuration files and then send them to remote sensors. SnortCenter has several useful features, including encryption of client-server traffic, authentication, the ability to push new configurations and the ability to update and import new Snort signatures automatically.

Why might Snort be a good tool to use with open source databases, like MySQL and Postgres?

Orebaugh: Snort and Barnyard both have built-in functionality to log to MySQL and Postgres databases. Add-on tools such as ACID/BASE also work with these databases. There is a lot of documentation on integrating Snort and its add-on tools with MySQL and Postgres. Once again, the fact that these are free doesn't hurt!

Orebaugh: Some administrators wish to run Snort in the background and start it up at boot time. Snort can be run in the background as a daemon process using the -D command line option. The Snort command can be added to the /etc/rc.d/rc.local script to run at boot time. This will run Snort in continual-processing mode; however, it is useful only if you are getting good notifications from Snort; otherwise you are effectively ignoring it.
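The boot-time setup described above, as an added example that is not from the book or the interview: a small rc.local-style wrapper that validates the configuration with Snort's -T option before launching the daemon with -D, and exposes a liveness check against the pid file so the sensor cannot silently die and be "effectively ignored". The binary path, config path, interface, log directory and pid-file location are assumptions for a typical Snort 2.x install.

```shell
#!/bin/sh
# Added example wrapper for starting Snort at boot (not the book's code).
# All paths below are assumptions; override them via the environment.
SNORT_BIN="${SNORT_BIN:-snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_IFACE="${SNORT_IFACE:-eth0}"
SNORT_LOGDIR="${SNORT_LOGDIR:-/var/log/snort}"
# Assumed pid-file location written by "snort -D" (see --pid-path in Snort 2.x).
PIDFILE="${PIDFILE:-/var/run/snort_${SNORT_IFACE}.pid}"

# Parse the config and rules without sniffing (-T) so a broken rule fails
# loudly at boot instead of leaving a dead sensor nobody notices.
snort_config_ok() {
    "$SNORT_BIN" -T -c "$SNORT_CONF" -i "$SNORT_IFACE" >/dev/null 2>&1
}

# Liveness check: succeed only if the pid file holds a numeric pid that
# belongs to a running process (kill -0 sends no signal, it just probes).
snort_is_running() {
    pidfile="${1:-$PIDFILE}"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null
}

# Start Snort as a daemon (-D), but only after the config test passes.
start_snort() {
    if snort_is_running; then
        echo "snort already running on $SNORT_IFACE"
        return 0
    fi
    if ! snort_config_ok; then
        echo "snort config test failed for $SNORT_CONF; not starting" >&2
        return 1
    fi
    "$SNORT_BIN" -D -c "$SNORT_CONF" -i "$SNORT_IFACE" -l "$SNORT_LOGDIR"
}

# rc-style entry point: "start" from rc.local, "status" from a cron watchdog.
case "${1:-}" in
    start)  start_snort ;;
    status) snort_is_running && echo "snort running" || echo "snort NOT running" ;;
    *)      echo "usage: $0 {start|status}" >&2 ;;
esac
```

Calling the status check from cron and alerting when it fails turns the "deploy it and forget about it" problem into something that pages someone.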

One of your book's topics is "basic rules you shouldn't leave home without." Could you describe two or three of those rules and make some generalizations about choosing rules?

Orebaugh: Rulesets should be customized to each network in order to minimize false positives and false negatives. However, some rules can apply to almost any organization. These typically include rules to alert on worm activity and malware.
